Arraya Insights | February 17, 2017
I’d like to start this blog entry with a disclaimer – I am certainly not advocating that you are going to stop all malware threats by installing antivirus software. I’m not even suggesting that traditional signature-based antivirus software will block 50% of the malware out there. What I’m saying is that, when used correctly, endpoint protection software can significantly reduce the likelihood of compromise. Typically, antivirus software is installed in “set it and forget it” mode, which is why it’s so ineffective. Listed below are 5 ways endpoint protection software is often misused and how to better utilize it:
1. You’re Not Looking at the Logs
While antivirus software may not catch everything, it will catch a lot and it’s important that you’re looking at the threats it’s stopping. Are the same people getting flagged all the time? Is it the same malware all the time? Can you see a pattern where malware is suddenly appearing on multiple machines? These alerts tell a story and it’s usually tied to user behavior. Logs can point you toward whether the bad stuff identified is getting in via email, web browsing, or both. These types of investigations can also lead to other security concerns the antivirus didn’t catch. You can use the data to determine who the high-risk users are and address the problem at the source. If you’re ignoring the logs though, you’ll never be able to take preventative action.
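To make the “tell a story” part concrete, here is an added example (not code from the original post, and not any vendor’s tooling) that runs the questions above over a handful of constructed detection events: which users keep getting flagged, which threats keep coming back, whether the delivery vector is email or web, and whether one threat suddenly lands on several machines inside a short window. The log format, thresholds and host/user names are all assumptions made up for the example.

```python
"""Triage of endpoint-protection detection logs: repeat users, recurring
threats, delivery vector, and sudden spread across many machines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample detections, not real product output. One event per line:
# ISO timestamp, host, user, threat name as the AV labels it, delivery vector.
SAMPLE_LOG = """\
2017-02-13T08:12:04 WS-1041 jdoe   Trojan.Downloader.X email
2017-02-13T09:03:51 WS-1041 jdoe   Trojan.Downloader.X email
2017-02-14T10:22:10 WS-1052 asmith Adware.Generic      web
2017-02-15T11:45:33 WS-1041 jdoe   PUA.Toolbar         web
2017-02-16T14:01:02 WS-1060 bwong  Ransom.Generic.A    email
2017-02-16T14:03:47 WS-1061 clee   Ransom.Generic.A    email
2017-02-16T14:05:19 WS-1062 dpatel Ransom.Generic.A    email
2017-02-16T14:09:58 WS-1063 efox   Ransom.Generic.A    email
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, threat, vector = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "threat": threat, "vector": vector})
    return events


def repeat_offenders(events, min_hits=2):
    """Users flagged at least min_hits times: the high-risk users to address at the source."""
    counts = Counter(e["user"] for e in events)
    return {u: n for u, n in counts.items() if n >= min_hits}


def recurring_threats(events, min_hits=2):
    """Threat names seen at least min_hits times."""
    counts = Counter(e["threat"] for e in events)
    return {t: n for t, n in counts.items() if n >= min_hits}


def vector_breakdown(events):
    """Is the bad stuff arriving via email, web browsing, or both?"""
    return dict(Counter(e["vector"] for e in events))


def outbreaks(events, window=timedelta(minutes=15), min_hosts=3):
    """Same threat on at least min_hosts distinct hosts within `window`:
    the pattern that says something is spreading, not one user's bad click."""
    by_threat = defaultdict(list)
    for e in events:
        by_threat[e["threat"]].append(e)
    found = {}
    for threat, evs in by_threat.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                found[threat] = sorted(hosts)
                break
    return found


def triage(text=SAMPLE_LOG):
    """One report answering the four questions in the section above."""
    events = parse_log(text)
    return {"repeat_offenders": repeat_offenders(events),
            "recurring_threats": recurring_threats(events),
            "vectors": vector_breakdown(events),
            "outbreaks": outbreaks(events)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In the constructed data, one user accounts for three of the eight detections and a single threat hits four machines inside nine minutes; those are the two findings worth a phone call, and neither is visible from the pop-up on any one PC.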
2. You’re Not Blocking Removable Media
Walk around your facility. How many people are charging their phones via USB on their work computer? Every time you go to a trade show or conference, there are tables of USB drives that anyone can pick up for free. The typical users aren’t thinking about the threat these devices pose to the overall network. Blocking these devices from connecting to PCs reduces the threat footprint. The logs also tell a story about who the troublemakers are. You can then whitelist the USB drives that are authorized and log when they are used. This data can be critical in identifying who may or may not have used removable media to steal data from your systems.
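The policy described above (block storage-class devices, whitelist the drives you issued, keep a log of who used which one and where) looks roughly like this when written down. This is an added example, not the original post’s code or any device-control product’s configuration; the device classes, vendor/product IDs, serial numbers and event records are constructed for the illustration.

```python
"""Device-control policy for removable media: allow keyboards and mice by
class, allow storage devices only from an allowlist, and log the rest."""
from collections import Counter

# Device classes as a device-control agent might report them (constructed labels).
ALWAYS_ALLOWED_CLASSES = {"HID"}             # keyboards, mice
CONTROLLED_CLASSES = {"MSC", "MTP", "PTP"}   # flash drives, phones in file-transfer modes

# Authorised drives keyed by vendor:product:serial (constructed, hypothetical IDs).
ALLOWLIST = {
    "1234:5678:SN-ISSUED-0012": "Encrypted issue drive #12 (IT)",
    "1234:5678:SN-ISSUED-0031": "Encrypted issue drive #31 (Ops)",
}

# Constructed connect events from a few PCs: a mouse, a phone plugged in to
# charge, one issued drive, and two giveaway drives from a trade show.
SAMPLE_EVENTS = [
    {"ts": "2017-02-16T08:02:11", "host": "WS-1041", "user": "jdoe",
     "cls": "HID", "vid_pid": "abcd:0001", "serial": "", "desc": "USB mouse"},
    {"ts": "2017-02-16T08:40:57", "host": "WS-1041", "user": "jdoe",
     "cls": "MTP", "vid_pid": "abcd:1200", "serial": "PHONE-77A1", "desc": "smartphone"},
    {"ts": "2017-02-16T09:15:30", "host": "WS-1052", "user": "asmith",
     "cls": "MSC", "vid_pid": "1234:5678", "serial": "SN-ISSUED-0012", "desc": "flash drive"},
    {"ts": "2017-02-16T12:47:02", "host": "WS-1060", "user": "bwong",
     "cls": "MSC", "vid_pid": "9999:0001", "serial": "GIVEAWAY-4F", "desc": "flash drive"},
    {"ts": "2017-02-16T13:05:44", "host": "WS-1041", "user": "jdoe",
     "cls": "MSC", "vid_pid": "9999:0002", "serial": "GIVEAWAY-99", "desc": "flash drive"},
]


def decide(ev, allowlist=ALLOWLIST):
    """Return (action, reason) for one connect event."""
    if ev["cls"] in ALWAYS_ALLOWED_CLASSES:
        return "ALLOW", "class " + ev["cls"]
    if ev["cls"] in CONTROLLED_CLASSES:
        label = allowlist.get(f'{ev["vid_pid"]}:{ev["serial"]}')
        if label:
            return "ALLOW", label
        return "BLOCK", "storage device not on allowlist"
    return "BLOCK", "unrecognised device class"


def evaluate(events, allowlist=ALLOWLIST):
    """Attach the decision to every event so both blocks and uses are recorded."""
    out = []
    for ev in events:
        action, reason = decide(ev, allowlist)
        out.append({**ev, "action": action, "reason": reason})
    return out


def blocked_by_user(decisions):
    """Who keeps plugging in things they shouldn't: the troublemakers in the log."""
    return dict(Counter(d["user"] for d in decisions if d["action"] == "BLOCK"))


def audit_trail(decisions):
    """Every use of an authorised drive, with who, where and when, for later
    questions about whether removable media was used to move data."""
    return [f'{d["ts"]} {d["host"]} {d["user"]} used {d["reason"]}'
            for d in decisions if d["action"] == "ALLOW" and d["cls"] in CONTROLLED_CLASSES]


if __name__ == "__main__":
    decisions = evaluate(SAMPLE_EVENTS)
    for d in decisions:
        print(d["ts"], d["host"], d["user"], d["desc"], d["action"], d["reason"])
    print("blocked per user:", blocked_by_user(decisions))
    print("authorised uses:", audit_trail(decisions))
```

The phone is blocked because it presents itself as a file-transfer device, not because of who owns it; the mouse is allowed without being on any list; and the one issued drive leaves an audit line that says exactly who used it on which machine.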
3. The Host-Based Firewall is Disabled
Managing a host-based firewall for PCs can be difficult, particularly because you never know what ports, protocols, or software updates each computer or application needs in order to operate normally. In that instance, for the most part, default settings are acceptable. On servers, however, you should know exactly what the communication requirements are and block everything else. For example, let’s assume someone does gain a foothold into the network and starts trying to run discovery scans to identify live resources. In many cases, a host-based firewall can block those requests so an attacker can’t find them. These controls serve as a critical layer of additional protection in the event someone gets past the first layer of controls, and can provide data around what’s trying to connect to a machine that shouldn’t be.
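Here is what “know the communication requirements and block everything else” looks like written down for a server, as an added example (not from the original post or any product). It declares the two things a hypothetical web server needs, renders that as a default-deny ruleset that logs its drops, and then runs some constructed connection attempts through the same policy to show what the drop log would tell you. The nftables rendering is one way to express the policy; the server name, subnets and attempt list are assumptions made up for the example.

```python
"""Default-deny host firewall for a server: declare what it needs, render a
ruleset that drops and logs everything else, then read the drops."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed requirements for a hypothetical web server. Anything not listed is blocked.
SERVER_POLICY = {
    "name": "web-01",
    "inbound": [
        {"proto": "tcp", "port": 443, "from": "0.0.0.0/0",   "purpose": "HTTPS for clients"},
        {"proto": "tcp", "port": 22,  "from": "10.0.5.0/24", "purpose": "SSH from the admin subnet"},
    ],
}


def allowed(policy, proto, port, src):
    """Return the purpose of the matching allow rule, or None (default deny)."""
    for rule in policy["inbound"]:
        if (rule["proto"] == proto and rule["port"] == port
                and ip_address(src) in ip_network(rule["from"])):
            return rule["purpose"]
    return None


def render_nftables(policy):
    """Render the policy as an nftables input chain: policy drop, loopback and
    established traffic accepted, each requirement accepted, everything else
    logged and dropped. Assumes nftables syntax; a Windows server would
    express the same policy in Windows Firewall rules."""
    lines = ["table inet filter {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept"]
    for r in policy["inbound"]:
        src = "" if r["from"] == "0.0.0.0/0" else f'ip saddr {r["from"]} '
        lines.append(f'    {src}{r["proto"]} dport {r["port"]} accept comment "{r["purpose"]}"')
    lines += ['    log prefix "host-fw-drop: " drop', "  }", "}"]
    return "\n".join(lines)


def evaluate_attempts(policy, attempts):
    """Split connection attempts into accepted and dropped, as the log would."""
    accepted, dropped = [], []
    for a in attempts:
        purpose = allowed(policy, a["proto"], a["port"], a["src"])
        (accepted if purpose else dropped).append({**a, "purpose": purpose})
    return accepted, dropped


def probable_scanners(dropped, min_ports=5):
    """A source whose drops span many distinct ports is sweeping the host,
    not a mis-configured client; that is the data point worth investigating."""
    ports = defaultdict(set)
    for a in dropped:
        ports[a["src"]].add(a["port"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed attempts: a client on 443, an admin on 22, SSH from the wrong
# subnet, and one internal host touching eight ports in a row.
SAMPLE_ATTEMPTS = (
    [{"src": "203.0.113.7", "proto": "tcp", "port": 443},
     {"src": "10.0.5.20", "proto": "tcp", "port": 22},
     {"src": "10.0.9.33", "proto": "tcp", "port": 22}]
    + [{"src": "10.0.7.77", "proto": "tcp", "port": p}
       for p in (21, 22, 23, 80, 135, 139, 445, 3389)]
)


if __name__ == "__main__":
    print(render_nftables(SERVER_POLICY))
    ok, dropped = evaluate_attempts(SERVER_POLICY, SAMPLE_ATTEMPTS)
    print(f"accepted {len(ok)}, dropped {len(dropped)}")
    print("probable scanners:", probable_scanners(dropped))
```

Because the chain policy is drop rather than a per-port reject, the server simply does not answer anything outside its declared needs, which is what keeps it off a discovery scan’s list of live hosts; the log prefix is what turns those silent drops into the “what’s trying to connect that shouldn’t be” data the section mentions.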
4. Application Whitelisting is Turned Off
In fairness to most administrators, application whitelisting can be a nightmare to implement. It involves hashing all of the files on a company’s standard image and only allowing those files to run on the computer. From a security perspective, this can be hard to crack because you’re only allowing what you know to be authorized to execute on the machine. An executable file trying to run that wasn’t on the initial secured image would be blocked. Furthermore, each time you patch the PC you will need to update the application whitelist for each patch, on each piece of hardware. Get this process right and you have a valuable way to protect PCs and get data on what’s trying to execute that shouldn’t be.
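The mechanics in that paragraph, hash the image, allow only those hashes, and re-baseline after every patch, fit in a short script. This is an added example, not the original post’s code or any whitelisting product’s logic: it builds a SHA-256 allowlist from a throwaway “image” directory, shows an unknown executable being blocked, and then shows why a patched binary is also blocked until the list is updated. The file names and contents are stand-ins constructed for the demonstration.

```python
"""Hash-based application allowlist: baseline a standard image, check what
wants to run, and see what a patch does to the list."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(image_dir):
    """Map sha256 -> relative path for every file on the image."""
    root = Path(image_dir)
    return {sha256_of(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*")) if p.is_file()}


def decide(allowlist, candidate):
    """ALLOW if the candidate's hash is on the list, otherwise BLOCK.
    The second element is the matched image path or, for blocks, the hash
    you would want logged to see what is trying to execute."""
    h = sha256_of(candidate)
    if h in allowlist:
        return "ALLOW", allowlist[h]
    return "BLOCK", h


def add_patched(allowlist, patched_files):
    """After a patch, add the new hashes; returns how many entries were added.
    Retiring the pre-patch hashes is a separate decision (see note below)."""
    added = 0
    for p in patched_files:
        h = sha256_of(p)
        if h not in allowlist:
            allowlist[h] = Path(p).name
            added += 1
    return added


def demo():
    """Run the whole cycle in a temporary directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "image")
        image.mkdir()
        # Constructed stand-ins for binaries on the standard image.
        (image / "app.exe").write_bytes(b"app version 1")
        (image / "helper.dll").write_bytes(b"helper version 1")
        allow = build_allowlist(image)

        # Something that was never on the image: blocked, hash logged.
        dropper = Path(tmp, "unknown.exe")
        dropper.write_bytes(b"not from the image")
        unknown = decide(allow, dropper)[0]

        # A patch rewrites app.exe, so its hash changes and it is blocked
        # until the allowlist is updated for that patch.
        (image / "app.exe").write_bytes(b"app version 2")
        before = decide(allow, image / "app.exe")[0]
        added = add_patched(allow, [image / "app.exe"])
        after = decide(allow, image / "app.exe")[0]

        return {"unknown": unknown, "patched_before": before,
                "patched_after": after, "added": added, "entries": len(allow)}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: the hash of every blocked file is exactly the “what’s trying to execute that shouldn’t be” data the section talks about, and after the patch the list still carries the old version’s hash, so a process that never retires superseded hashes slowly turns back into an allow-everything-we-ever-shipped list.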
5. Communication is Ineffective
Think about what happens when your endpoint protection system does stop malware. Typically, the software’s default settings will trigger a pop-up box that reads “Device DellPro-2341 has detected exploit CVE-123-2017 and quarantined the file. Click here for more info.” Or, in some cases, nothing at all will pop up. That messaging doesn’t really strike fear into the hearts of your users. Contrast that with a message that reads “Hey buddy! That email attachment you opened infected our network with malware – we’re subtracting $100 from your next paycheck!” You may not be able to use that exact language, but at least take advantage of the teachable moment. Even better, have someone call them as soon as it happens. When system users know they are being watched and will be held accountable for their actions, they are less likely to plug in that iPhone or click on that YouTube video.
Where to turn for an endpoint security assist
Need a hand better securing your endpoints against today’s cyber threats? Have a different cyber security issue on your mind? Arraya Solutions’ Cyber Security Practice is here to help. They can be reached at www.arrayasolutions.com/contact-us/. Or, feel free to get in touch with Arraya directly through our social media presence: LinkedIn, Twitter, and Facebook.